Consumer Reports Finds Numerous Home Routers Lack Even Basic Security Protections
from the the-check-will-come-due dept
For years now many hardware vendors have failed utterly to implement even basic security protections on most consumer-grade routers. D-Link, for example, just settled with the FTC after being sued for shipping routers with numerous vulnerabilities and default username/password combinations, despite advertising its products as “easy to secure” and replete with “advanced network security.” Asus was similarly dinged by the FTC for shipping gear with numerous flaws and easily-guessed default username and password combinations.
As such, it’s not too surprising to see a new Consumer Reports study that found that a large number of mainstream residential routers lack even rudimentary security protections. 11 of the 26 major router brands examined by the organization came with flimsy password protection. 20 of the routers let users only change the password, but not the username of web-based router management clients. 20 of the routers also failed to protect users from repeated failed password login attempts, now commonplace on most apps, phones, and other services.
Two thirds of the routers tested came with UPnP enabled by default:
“Unless you have a device or some software that specifically asks for it, it?s smart to turn this off, because UPnP has a history of serious security vulnerabilities. But our recent survey found that most people who buy a router don?t adjust the settings, and even fewer may think to turn off UPnP.”
Many attacks are made easier thanks to Luddite users. But there’s a universe of steps these vendors could be taking that would make a dramatic impact, such as requiring that users change the default username and password before they’re able to actually use the router. But, just like the security and privacy apathy seen in the IOT space, many vendors don’t want to spend the money necessary to fix older gear, or even implement meaningful improvements in new kit. As a result, much of this gear is easily hijacked and integrated into botnets within minutes of being connected to the internet. Hardware vendors don’t care as they’ve already made a sale, and consumers often lack the technical know-how to even know they’ve been compromised.
As Consumer Reports notes, given the router’s integral role in everything done in your home, it remains fairly dumbfounding that we’re still collectively begging router manufacturers to give a damn:
“Routers are a critical part of our homes,? says Robert Richter, who oversees security and privacy testing for Consumer Reports. ?They are the conduit through which all of your data travels, so it?s crucial that we look closely at how they handle security. We hope both consumers and the industry pay close attention to our findings.”
Of course if you’ve checked in with the dumpster fire that is security and privacy standards in the IOT space, shoddy routers are just one small part of a much broader problem. To that end Consumer Reports has done some really stellar work trying to create an open standards system that can be used to include security and privacy vulnerabilities in product reviews, helping to steer consumers away from buying gear from vendors who pretty clearly couldn’t give a damn about consumer security and privacy.
Comments on “Consumer Reports Finds Numerous Home Routers Lack Even Basic Security Protections”
UDP is the new bad guy?
UDP is definitely evil. It makes DNS and DHCP and BOOTP and lots of things work. If we got rid of UDP and IP we’d have a lot less problems with IoT.
Seriously, I can only think MAYBE you meant UPnP and proofreading is too hard.
E
Re: UDP is the new bad guy?
None of those things you need hitting the outside world from a home network.
Re: Re: UDP is the new bad guy?
Oh, IDK. I am somehow attached to my VPN, and guess what – it works on UDP.
Re: Re: UDP is the new bad guy?
UDP is used for lots of useful stuff including DNS to e.g. Google’s servers at 8.8.8.8/8.8.4.4. Of course YOU don’t need that. You don’t need to be on the net at all… because you’re OK with being on an internal network where all services are offered on a COMPROMISED IoT router.
You did read the original article, right?
Oh. No?
Try that first.
E
Re: UDP is the new bad guy?
pretty sure it’s a typo.
Re: Re: UDP is the new bad guy?
Tireless Zombie Hunter
Reviving after nearly FOUR YEARS for a typo, it’s "bratwurzt"!
Or, with the name change characteristic of zombies, on 2nd only "JohnnyG", or on first only, "Duan". 262 comments which is average 31 per year if count the 4 year gap. Went to rest Sep 7th, 2015, yet is now 8 years old: 26 Feb 2011.
The reason why popped up just puts sparkles on the icing. Evidently is first typo "bratwurzt" noticed in FOUR YEARS, yet I’m pretty sure have been others.
In. Cred. Ible. The obvious conclusion is still the only one: astro-turfing.
But the fanboys go on without noticing. How many of them are fake accounts too?
Here’s four more "accounts" with recent activity which are ODD:
mcherm or Michael Chermside: 45 (5), 39 mo gap; 29 Apr 2009 https://www.techdirt.com/user/mcherm
GHB: 14 (5), 14 mo gap; Dec 6th, 2016 https://www.techdirt.com/user/ghb (perhaps the least odd, but on the increase after neglected…)
Bill Silverstein or William Silverstein: 44 (4), no 2018, 18 mo gap; 37 mo gap after first; 16 Sep 2007 https://www.techdirt.com/user/silverstein
jonr: 18 (3), sparse, year gap after first Oct 22nd, 2013 https://www.techdirt.com/user/jonr
With astro-turfing confirmed, all newbies are of course suspect. Also keep your eye on:
Scary Devil Monastery: 956, (special case!), resumed 8 Aug 2018, all but one comment in last year, with 65 month gap after first! 1 Mar 2013 https://www.techdirt.com/user/perge74
Re: Re: Re: UDP is the new bad guy?
Add me to your list of "shills", since apparently losing interest in this site for a couple years is proof of that now?
Although you’ll have to dig a bit further than just a user profile page since Techdirt appears to have purged my account at some point and I haven’t bothered to re-register yet. Can still find my old posts on Google though! Most recent one (besides those from the past month) that I found was 2010. Must mean I waited ten years just to come back and "astro-turf" about…something…?
Sometimes people leave, sometimes they come back. If you think that alone is proof of a conspiracy, you might want to seek some professional help….sounds like you’re having some paranoid delusions.
Re: Re: Re: UDP is the new bad guy?
LOL, I love how you are so obsessed with this site and it’s people that rather than discuss the actual article, you attack the people for not posting enough. Would you add my account to your love list as well since I read daily but post rarely? That would make me happy and I hope it fills your heart with joy as well.
Re: Re: Re: UDP is the new bad guy?
Ooooo. That is cool. What is your hypothesis on my account? I currently don’t remember my account name or which email I used to create it. I would say it has been about 2 years, maybe even longer, that I last posted anything with it. But I have been on and off Techdirt for about 10 years. I still occasional post a couple times a week as an AC and other times I take a month or two off. Does that make me some sort of russian agent or a antifa shill of some sort? Do I win anything?
Re: Re: Re: UDP is the new bad guy?
As usual Baghdad Bob views a 5 year hiatus from the online environment odd when in reality that’s just people having a real life.
"Scary Devil Monastery: 956, (special case!), resumed 8 Aug 2018, all but one comment in last year, with 65 month gap after first! 1 Mar 2013"
And as anyone can readily tell by casually reading my comments then and now I’m still the same person.
As, apparently, are you, Baghdad Bob, still grasping for EVERY straw you can in order to marginalize anyone who DARES question holy copyright.
I’ll remind you know what i told you way back when, that when you feel the urge to take a dump the proper place to do it is the bathroom, not in the poor innocent textbox popup receiving your "offerings" for the forum board.
Re: UDP is the new bad guy?
As someone else pointed out, that’s not UDP (which IS a thing, but it does none of the things described). UDP is sibling protocol of TCP.
What you, and the article are describing is however consistent with UPnP (which is a totally different protocol).
Re: Re: UDP is the new bad guy?
lol. And then I fail at reading :/
Re: UDP is the new bad guy?
Hey, guy who’s always telling everyone how stupid they are because of an occasional typo or grammatical error:
Fewer problems, not less.
Re: Re: UDP is the new bad guy?
SO you’re ok with discssing UDP and UPnP as if they’re the same thing but "a lot less" and "fewer" get your panties in a bunch.
Roger, got it. Please unbunch your panties and go back to discussing the topic. Hint: it’s in the article above.
Best regards and best wishes for your eventual recovery,
E
Re: Re: Re: UDP is the new bad guy?
Thank you for clearly labeling your strawman.
No. I think pointing out that "UDP" was a typo and it should have said "UPnP" was reasonable, and if you hadn’t done it I was about to do it myself. Politely.
What I have a problem with is you being a condescending prick about it. What I have a bigger problem with is that you do this all the time.
No, I’m afraid you’ve missed the point of my post.
I really don’t give a shit whether you confuse "less" and "fewer". I do think it bears pointing out your blistering hypocrisy in constantly talking down to other people and calling them "stupid" and "illiterate" for making minor grammatical mistakes, when your own grammar is not nearly so impeccable as your overinflated and irony-impaired self-perception would have it.
You mean like that time you whined about Karl saying "myself" instead of "me", or that time you whined about Karl using the word "hijack" to describe impersonation, or the numerous times you’ve whined about Karl saying "ISP" when he meant "ISP owned by a cable company", or whatever the fuck it was you were talking about here and here?
Yes, E. It’s fucking annoying when somebody whines about an irrelevant detail of somebody’s word choice instead of focusing on what they’re actually talking about. So maybe you should stop doing it all the time.
Re: Re: Re:2 UDP is the new bad guy?
Oh my god, good job mastering linking to things.
Merry Christmas, or whatever it is you should think you’re doing.
E
P.S. Bwahahahaha
Re: Re: Re:2 UDP is the new bad guy?
Thad, it gives me great joy to see you froth at the mouth.
Now unbunch your panties and get back to work.
You are at work, right? As in employed, contributing to society, not trying to check up on what I post?
I appreciate all the "hard work" you do to curate links, and telling me what to post. Perhaps you’d like to be my editor? I could send you posts before I post them and you could offer constructive criticism.
If it helps your blood pressure I’m all for it.
Ehud "My BP is 120/60, and I get tested for every FAA certificate renewal — what’s yours?" Gavron
The users aren’t Luddites any more than the average person isn’t anti-medicine because they can’t interpret an MRI. This is just one reason why markets and their suppliers need to be regulated. Just as the U.S. doesn’t even scrutinize routinely deployed chemicals until people start dropping dead, so do they ignore security unless “law enforcement” says it’s a threat. What’s obvious to some is a dark art to most humans.
Re: Re:
"The users aren’t Luddites any more than the average person isn’t anti-medicine because they can’t interpret an MRI."
I used to believe that once upon a time. I came to the conclusion that although users are generally receptive to new tech they are all too often highly resistant towards learning the most basic concepts about said tech.
If the average John or Jane Doe used the same approach towards their cars and bikes that they do towards digital devices then less than 10% would be able to fill the car tank with gas and less than 1% would be able to top up the oil or fix the tire pressure.
There’s nothing wrong with making tech simple and easy to use, but as a consumer base we’ve somehow bought the hype that the manufacturers will do all the heavy lifting and we shouldn’t even ask questions.
Re: Re: Re:
I admit that I leave checking the tire pressure of my car to the mechanics… but I can fill my tank. And I know how to repair a punctured tire on my bicycle. Most people know what cables to put in which sockets on their computer, which would put them at least at "filling the gas tank" level for a car.
Most people are taught how to lock a car, but most people are not told how they can set up WPA, such things are hidden in complex user interfaces. (Anyway, wifi access is more convenient without having to use a password, so that’s how the device is shipped by default.)
And the problem with educating people is that tech changes fast enough to make the education outdated in a few years. A walk-through of settings for a specific modem will be outdated at the next UI change (one year). And there’s an acronym soup (POP, IMAP, STMP, SNMP, TCP, UDP, ICMP, SMB, TLS, SSL, FTP, RDP, …) that has to be explained. But the router/modem/gateway boxes have to be shipped quickly; manufacturers take no time for proper design and testing.
Re: Re: Re: Re:
"Most people know what cables to put in which sockets on their computer, which would put them at least at "filling the gas tank" level for a car."
…that has not been my experience at all. I know people who have let a brand new laptop sit on a shelf for over a year without even booting it up once because they "weren’t sure how to set it up" and were waiting for their techie friend to come deal with it.
In my experience, people who are not technically inclined have Best Buy come set up the computer, have a friend or co-worker show them which buttons to click in which order like it’s some freakin’ magic incantation, and if one icon moves over half an inch they’re calling tech support saying it’s "broken". Hell, in my experience even software developers typically outright refuse to read error messages and "don’t know how" to reinstall Windows. They could probably figure it out, but they refuse to even try…anything more involved that "click button and get instant gratification" is too much effort these days.
Not that people do any better with things like cars or televisions though…those are just standardized enough that they "learned" it once twenty years ago and have been coasting on that ever since….
Re: Re: Re:2 Re:
Remembering the last time I has to reinstall Windows, I can’t say I blame them, as it was almost as painful as an Arch Install, just requiring less intelligence..
Re: Re: Re: Re:
"And the problem with educating people is that tech changes fast enough to make the education outdated in a few years."
When it comes to protocols and applications, yes. But that’s not the level I’m talking about here.
We’re talking about people who don’t bother enough to even loosely understand the concept of "ports" or how a computer basically must work.
And that level, again applied to the concept of the car, is someone who doesn’t realize why the car needs gas and oil or why the tires need a certain pressure.
How to batten down those hatches?
Famous vendors could take more responsibility for their brand’s loosey goosey defaults. Or some other mob should step up to take the reins.
Would be good if news articles helped us action insecure defaults on devices.
A simple Google search returns…
1) Tom’s long list of technical steps with no explanation beyond a link to
2) a site claiming to be an ethical security organisation/person, who will freely scan your system from their end, make specific recommendations, prioritise them, explain the trade offs, and show you the required technical steps.
Alas not updated since circa Windows 95.
What is the best link for me to perform a security checkup and slowly begin taking the actions to become more secure?
Re: How to batten down those hatches?
You seem to think that a news commentary site should offer you technical help, but technical help is not their function.
Re: How to batten down those hatches?
There isn’t a website that can detect that easily as it isn’t always apparent what is a security hole or put there on purpose. Also they may not be attacking your from you internet connection and instead from a nearby by wifi location. For a home network, your best step is to make sure everything is locked down and has a mainly a good wifi password and good password to get into your router. Make sure your IOT items aren’t producing their own wifi and allowing back doors into your network. If you know how to do some basic configurations, go in and disable options you likely won’t use. Telnet, SSL, SNMP, FTP, useful utilities but if you don’t know how to use them then it will just make it harder for someone to get in if they are off. Know ahead of time how to do a factory reset on your router incase you break something during the process. Don’t ever use the DMZ option on your router. If whatever you are doing requires you to use the DMZ then learn about port forwarding instead. Saying all this, I am a bit lazy myself on some security options. My important stuff is locked down tightly but some of the less important stuff is left a little bit open for more convenience sake. If it ever gets hacked, a quick wipe and reset stops the problem.